
Somebody has been sending emails using my account?


9 replies to this topic

#1 touchring

touchring

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:06:20 PM

Posted 15 January 2009 - 08:42 AM

Hi,

I've been receiving a dozen bounced back delivery failure notices to my email account for the past 3 days - joshua@mycompany.com (this is representative) - such as the following.

I suspect that either my PC, SMTP account or mail server has been compromised, but I'm not able to interpret via the bounced email whether the sender is just spoofing my email account. I've also tried to find a way to view outgoing mails on my Ensim server, but can't find a way.

The mail is a scam so I'm worried about legal consequences. Hope someone can help. Thank you.


Hi. This is the qmail-send program at brain.fpp.pl.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<mun_ked@czat.pl>:
vdeliver: Invalid or unknown virtual user 'mun_ked'

--- Below this line is a copy of the message.

Return-Path: <joshua@mycompany.com>
Received: (qmail 24794 invoked from network); 15 Jan 2009 11:48:08 +0100
Received: from dsl.static.85-105-17806.ttnet.net.tr (85.105.69.142)
by brain.fpp.pl with SMTP; 15 Jan 2009 11:48:08 +0100
Received: from [85.105.69.142] by mail.mycompany.com; Thu, 15 Jan 2009 12:54:06 +0200
From: "Shanna Thayer" <joshua@mycompany.com>
To: <mun_ked@czat.pl>
Subject: LUX and premium class design and construction activity. Work proposals in Europe
Date: Thu, 15 Jan 2009 12:54:06 +0200
MIME-Version: 1.0
Content-Type: text/plain;
charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook, Build 11.0.6353
Thread-Index: Aca6QC306PSW68KMXWQT6ODQ81T3GI==
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1807
Message-ID: <01c97710$5968eb00$8e456955@joshua>

“LUXVESTE” Design Studio
Smidjuvegur 1, IS-201 Kopavogur, Iceland
Recruitment office, main branch

Good Day,

I'm happy to tell you that during today's Economical Crisis we have a vacancy for you.

Design Studio “Karla Luxury” in collaboration with constructive-trimming Company of “Veste” are happy to welcome you here and to announce that from now on you are granted unique opportunities coming as a result of the Companies’ fusion into a brand new business institution of “LUXVESTE”.

Due to our service expansion and a first time entrance to global European Market, customers from almost every European region can take full advantage of our PREMIUM and LUX-class design, constructive scaling and trimming services. Furthermore “LUXVESTE” is ready to work and cooperate on mutual conditions and benefits.

We don’t just simply offer our cooperation to you; we offer you a real-time work. A work you will earn wages for. Regular wages of 2000 EUR net salary per month + fixed sales or bargains percentage.

There’s no need for you to get up early and rush for the 9 in the morning buss to get to your office in time anymore. No need to occupy yourself with dull activity. “LUXVESTE” work proposal includes online activity and contact with our sales managers and regional representatives, personal meetings and assistance during visits of our customers to your region, financial responsibility for transactions by means of your services and oblige to have land or mobile phone and regular Internet connection.

Our main office is located in Iceland, thus our Company is registered in an offshore Panama zone so as to minimize financial losses and avoid crisis-hit European tax obligations and Collapsed Icelandic Economy. Today’s world economic crisis compels most of the Companies to economize on costs and charges therefore all of our bank accounts are registered in an offshore Panama region.
The less taxes paid – the more profit gained. The more profit gained – the better offers, terms and conditions for our customers there are. In the end we have customers totally satisfied with what we do and willing to continue their business with “LUXVESTE”.

“LUXVESTE” invite enterprising, energetic persons for our customers’ international and inter-continental transactions processing, for offshore financial system innovations monitoring and legal bypass of European tax obligations on purpose of getting maximum profit for both “LUXVESTE” and its companions.

“LUXVESTE” offer you to become regional representative’s legal ASSISTANT on behalf of “LUXVESTE” office in Europe.
Following cooperation is authorized and built upon a working agreement.

We guarantee:
2000 EUR net salary per month + fixed sales or bargains percentage (the percentage depends on your qualifications)
Career growth and social benefits
6 weeks of paid leave a year
Social guarantees

Specific information about working and cooperation opportunities will be sent by your request.


For more information or for visiting our web-site, please reply back to ONLY my corporative email address: career.perspectives@gmail.com


“LUXVESTE” marketing department
Smidjuvegur 1, IS-201 Kopavogur, Iceland
Recruitment office, main branch
Klaus Koleman



#2 karbo1

karbo1

  • Members
  • 172 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Quebec, Canada
  • Local time:06:20 PM

Posted 15 January 2009 - 08:50 AM

First thing to do would be to inform your Internet provider about the situation.
Please post back if we found the solution

#3 touchring

touchring
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:06:20 PM

Posted 15 January 2009 - 08:54 AM

The problem is that I'm using my Ensim server as POP mail server.

A bit more info, I downloaded maillog from \var\log but can't find the originating emails that are supposedly sent and bounced, based on the bounced emails I got.

Edited by touchring, 15 January 2009 - 10:18 AM.


#4 johnny303

johnny303

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warsaw, Poland
  • Local time:12:20 AM

Posted 15 January 2009 - 10:00 AM

Hello, I am one of - probably thousands - of users who received that mail yesterday. However, I doubt if your true account has been compromised in any way, as the real source of the mail I got is: a.eshuys@a-b.de, and it is very likely to be coming from hundreds of other addresses as well. Therefore I think the spam in question is generated by SMTP servers on a "zombie farm", i.e. malware infected computers of users around the world and it is only made to look as if coming from your account.
I had experienced similar attacks in the past. The good news is they usually stop after a few days. The bad news - I even had to change my e-mail account address a year ago. Just imagine the business and moral damages.
Anyway, there seems to be no easy solution to your problem, as there is no global law enforcement to cope with such guys.

Edited by johnny303, 15 January 2009 - 10:02 AM.


#5 touchring

touchring
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:06:20 PM

Posted 15 January 2009 - 10:28 AM

Thanks, what spooked me is this line in the bounced email:

Received: from [85.105.69.142] by mail.mycompany.com; Thu, 15 Jan 2009 12:54:06 +0200

If I'm not mistaken, this means that the email was sent from the client on 85.105.69.142 through my mail server mail.mycompany.com!?

As mentioned, I checked maillog from \var\log but can't find the originating email in my log (other than the bounced email message that came back).
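
Added example, not part of any post in this thread: a way to read the Received chain from the bounce in post #1 and decide which lines are first-hand evidence. Each server prepends its own Received line, so only the line stamped by the server that bounced the mail (brain.fpp.pl here) is trustworthy; lines below it arrived with the message and must chain to the hop above. The function names and the "trusted/consistent/unverified" labels are assumptions made for this illustration.

```python
import re
from email import message_from_string

# Headers copied from the bounce quoted in post #1 (folded line re-indented).
BOUNCED_HEADERS = """\
Return-Path: <joshua@mycompany.com>
Received: (qmail 24794 invoked from network); 15 Jan 2009 11:48:08 +0100
Received: from dsl.static.85-105-17806.ttnet.net.tr (85.105.69.142)
 by brain.fpp.pl with SMTP; 15 Jan 2009 11:48:08 +0100
Received: from [85.105.69.142] by mail.mycompany.com; Thu, 15 Jan 2009 12:54:06 +0200
From: "Shanna Thayer" <joshua@mycompany.com>
To: <mun_ked@czat.pl>
"""

HOP_RE = re.compile(r"from\s+(?P<frm>\S+)(?:\s+\((?P<ip>[\d.]+)\))?\s+by\s+(?P<by>[\w.-]+)")

def parse_hops(raw):
    """Return network hops newest-first; lines with no from/by pair
    (such as qmail's local "invoked from network" note) are skipped."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP_RE.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            frm = m["frm"].strip("[]")
            hops.append({"from": frm, "ip": m["ip"] or frm, "by": m["by"]})
    return hops

def assess(raw, trusted_by):
    """Label each hop. The line stamped by `trusted_by` is first-hand; any
    older line was supplied by the connecting client, so it is believable
    only if its "by" host is the host the newer hop saw connecting."""
    hops, report = parse_hops(raw), []
    for i, hop in enumerate(hops):
        if hop["by"] == trusted_by:
            verdict = "trusted"
        elif i > 0 and hop["by"] in (hops[i - 1]["from"], hops[i - 1]["ip"]):
            verdict = "consistent"
        else:
            verdict = "unverified"
        report.append((hop["by"], hop["ip"], verdict))
    return report

if __name__ == "__main__":
    for by, ip, verdict in assess(BOUNCED_HEADERS, "brain.fpp.pl"):
        print(f"{verdict:11} client {ip:15} -> {by}")
```

On this bounce the only trusted line shows brain.fpp.pl accepting a direct connection from 85.105.69.142, and the "by mail.mycompany.com" line does not chain to it, which is why no matching entry would be expected in that server's maillog.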

#6 johnny303

johnny303

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warsaw, Poland
  • Local time:12:20 AM

Posted 15 January 2009 - 10:57 AM

Whois search indicates IP: 85.105.69.142 is located in Turkey. Do you live in Turkey? Even if you do, e-mails can be easily forged to look as if they were sent from your provider's server. There are freeware applications which allow sending mail from your computer, capable of posing as any server you can think of, not to mention dozens of malware. You should not worry too much if you can still use your mailbox. Spam/scam sent from your PC, namely your IP, would be a legal issue, as you are responsible for damages done by your machine. Mind you, even spam really sent from mail.mycompany.com is not necessarily your concern.
By the way, be sure to scan your computer for malware on a regular basis.

Edited by johnny303, 15 January 2009 - 11:06 AM.


#7 Queen-Evie

Queen-Evie

    Official Bleepin' G.R.I.T.S. (and proud of it)


  • Staff Emeritus
  • 16,485 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:My own little corner of the universe (somewhere in Alabama). It's OK, they know me here
  • Local time:06:20 PM

Posted 15 January 2009 - 12:46 PM

Your email address is being spoofed. What this means: A spammer wants to send out spam, but does not want to use his/her email address. So he/she decides to use someone else's. All they have to do is put your address in the From field.
Thus it appears you sent the mail. And you get the bounce notices when mail is sent to an invalid address.
Spoofing mail addresses is no different than me writing a letter, putting it in an envelope, addressing it, and using your home address as the return address.
There is nothing you can do. The good news is that the spammers don't use another person's address for too long.
All you can do is wait it out.

#8 touchring

touchring
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:06:20 PM

Posted 17 January 2009 - 03:46 AM

Thanks, I guess I'll wait and see what happens next. :thumbsup:

#9 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,807 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:07:20 PM

Posted 18 January 2009 - 01:05 PM

Hello touchring,

I had that happen to me BEFORE I even had a computer. I used public access computers exclusively. Here is what happened. There is a type of software called a spambot. These spambots go through websites and harvest e-mail addresses, then use them to send spam, both to send and receive. I tell you, I had a mess on my hands. This is why we remove e-mail addresses from signatures and posts on this forum.

Another possibility is that one or more of your contacts has an infection on his/her computer and his/her e-mail address book has been compromised and spam is being sent to and from the e-mail addresses in that/those address books.

Your best solution is to change your e-mail address. Changing just the user name portion is fine, and then do not post your e-mail address on any website. Also, do not open any suspected spam messages. These messages may contain a 1 pixel clear image, and if the e-mail is opened that image will tell the sender that he/she has a live target. And by no means click on any links in them and do not respond to them, this will increase both the sending and receiving of spam. I learned this the hard way.

Now, I think you are using an e-mail client such as Outlook, Thunderbird etc. In order to see the full path information, right-click on the title of a suspect message and save it to the desktop. Now, navigate to the saved file, right click on it, then choose to open it with notepad. When you report a suspect spam message, such as a spoof from Paypal or your bank, it is this saved file that you would send so they can analyze it.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#10 muuji

muuji

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Location:beijing
  • Local time:07:20 AM

Posted 23 January 2009 - 12:53 AM

Your email address is being spoofed. What this means: A spammer wants to send out spam, but does not want to use his/her email address. So he/she decides to use someone else's. All they have to do is put your address in the From field.


How can someone put your address in the From field??? I use Yahoo - I can't see a "from field" when I'm composing a new email. The reason I ask is this - a while ago I received an email from a friend. Instead of answering her by a reply email, I phoned her - she said she hadn't sent that email at all! I then assumed it was some sort of virus or some such thing at work, although this didn't seem to quite gel, as there were no attachments or any other strange things - just a seemingly 'normal' email. Perhaps this "from field" alteration provides the answer!
Muuji



